TRAININGS

Virtualization Security

Securing your Virtualized Enterprise

Instructor and Course Author:
 Tim Pierson 

Introduction 
Security managers in the know will tell you that a virtual system can actually be made more secure than its physical counterpart. The trouble is that it is not secure out of the box with all the defaults. The author of this course claims he can be in your system in less than 5 minutes if you took all the defaults during a standard ESX/ESXi installation; this includes vSphere 5. He will prove it during class!

While virtualization does provide greater benefits in speed, accessibility, cloud, etc., most administrators take a casual view of securing virtual systems. There are new and ever-present dangers that must be managed or mitigated. It is imperative that your virtualization administrator be made aware of these threats. All of these can be managed by understanding these technologies, as well as by careful design and implementation with regard to access controls, user permissions and traditional defense-in-depth mechanisms.

Course Description:

  • During this 2-day course the student will gain an in-depth knowledge of exactly how important this is by actually attacking live VMware ESXi servers of various versions.
  • Attendees will learn about every aspect of locking down ESXi servers and the vCenter management server, as well as best practices for securing the virtual machine guests that reside on ESXi platforms. 
  • We will map out all the latest virtualization networking techniques in detail, laying out proven strategies for proper separation by various means, from physical networks, to VLANs, to PVLANs, as well as some of the newer cloud technologies such as VCDNI, how vCloud Director uses it, and how safe protocols such as that may or may not be. We will cover both virtual switching and routing at layer 2 and layer 3.
  • At the conclusion of this course you will have a comfort zone and the necessary know-how to build virtual DMZs and integrate with existing network infrastructure. The course will cover the very latest technologies such as Host Profiles and vShield Edge, Endpoint, and Application, so that you will be comfortable sketching out your strategy to the cloud. We will also provide limited exposure to vCloud Director from VMware, which is what our lab runs on.
  • We will provide insight into the latest 3rd party products available for VMware and why you may or may not need them. We will provide extensive information about compliance, whether that is HIPAA, PCI, DISA, or SOX, and how it can be achieved. The best news is that sometimes it is more easily achieved through virtualization.
  • We end with strategies to maintain compliance-focused controls using VMware and a few things that will easily trip you up like change and configuration management, separation of duties, and the concept of least privilege.

Targeted Audience 

  • Network and Virtual Administrators primarily running ESXi as their virtual environment and who need to understand the flow of data (thus to secure it) in the virtual and cloud environment.
  • Security personnel who need a better understanding of securing VMware virtualization technologies
  • Compliance, Legal and other Technical auditors and consultants who need to have a firm understanding of VMware virtualization from a security and compliance perspective 
  • Designers and Decision makers who need a secure road map to the Cloud!

Course Outline 
Learn what makes vSphere security such an important topic for you and your company. You’ll find out what the course will cover as well as the basics of building a vSphere lab that you could use to practice the configurations you’ll learn in the course.

Introduction to Information Security Concepts 
This lesson provides a fundamental base of understanding for system and information security, specifically as it relates to virtualization security. 

  • The Many Layers of Security in a Virtual Environment 
  • The Fundamentals: A Security Primer 
  • Authentication, Authorization, and Accounting
  • Standard Terminology
  • CIA: Confidentiality, Integrity, and Availability – The Basic Security Triad Plus a few more
  • The Different Shapes and Sizes of Potential Attackers
  • The Steps of an Attempted and/or Successful Attack 
  • The Process for Developing and Maintaining Good Security
  • Popular Security Tools

Security Priorities in a Virtual Environment 
Explore how security is different in a virtual environment, dispel common virtualization security concerns, find out the impact of security in a virtual infrastructure, and learn what VMware is doing about security.

  • Is Virtualization Secure?
  • Is the Hypervisor a Security Weakness? 
  • Encapsulation
  • Common Worries about Virtualization Security
  • Types of Security Threats
  • Impact of Virtualization on Security
  • What is VMware Doing about Security?
  • Regular Tasks a Good Admin Should Perform

Security Technologies 
In this lesson you will learn technologies, features, and options for securing your vSphere environment. You will also learn how to control who has access to your virtual infrastructure as well as how to maintain that level of security for the long term.

  • What Do I Need to Protect What?
  • Pairing Assets to Security Technology
  • vSphere Authentication
  • Who Has Access to Your Environment?
  • Creating Local vSphere Users
  • vSphere Host Authentication
  • Integration with Active Directory 
  • The VI Firewall
  • Integrating Security in with the Hypervisor by Using the VMsafe API
  • Using vShield to Secure Application and Guests
  • Keeping Hosts Updated with Update Manager

vNetwork Security Architecture in Hostile Environments such as a DMZ
This lesson will give you an overview of how security impacts the selection, deployment, and management of the vNetwork. It also details recommendations and common mistakes seen in production environments.

  • Deployment Types for Different Trust Zones
  • Partially Collapsed with Separate Physical Trust Zones
  • Partially Collapsed with Separate Virtual Trust Zones
  • Fully Collapsed Trust Zones
  • Top 10 Common Mistakes and Recommendations
  • Security Considerations with the Standard vSphere vSwitch
  • Security Considerations with the vSphere dvSwitch
  • Layering Additional Security and Functionality with the Cisco Nexus 1000v
  • Protecting Your Management Communications
  • Isolating Management

Securing vNetwork Configuration 
Learn about implementing vNetwork security with features like VLANs, PVLANs, and trust zones.  Also, you will get an introduction to security features using the Cisco Nexus 1000v Distributed Switch.

  • Security Considerations in Your vNetwork Design
  • Configuring the vNetwork for Different Trust Zones
  • Implementing VLANs and Network Separation
  • Using and Configuring Private VLANs (PVLANs)
  • vSwitch Security Configuration
  • Using and configuring the vSphere dvSwitch
  • Configure Physical and VM Port-Groups

Protecting vCenter 

Cryptography Decrypted

  • Encryption Overview
    • Encryption is the process of obscuring information to make it unreadable without special knowledge – a key!
  • Encryption Algorithm
    • A formula used to turn ordinary data, or "plaintext," into a secret code known as "ciphertext." Each algorithm uses a string of bits known as a "key" to perform the calculations. 
  • Implementation
    • There are two main methods of implementing symmetric encryption:
      • Block ciphers
      • Stream ciphers
  • Asymmetric  vs. Symmetric Encryption
  • Symmetric Algorithms
  • Crack Times
  • SSL Hybrid Encryption
  • Asymmetric encryption’s biggest flaw is that it is inefficient for large amounts of data.
  • Symmetric encryption’s biggest flaw is the secure transfer of the key.
  • Hashing
  • Hash Collisions
  • Common Hash Algorithms
  • Message Digest Family
  • Hybrid Encryption
  • Levels of Certs
  • IPSec

Working with SSL Certificates 
This lesson discusses how to use SSL Certificates, whether from a certificate authority or self-signed, to secure vCenter communications.

  • An Overview on How SSL Works and Why We Use It
  • How VMware Uses SSL – Can you say Self-Signed Certificates? Are they safe?
    • This Author will say YES!
  • Example of an SSL Negotiation and Where the Weakness Lies
  • Let’s Talk About Digital Certificates: The Real Truth
  • Getting Rid of That Annoying SSL Warning when logging into vCenter.
  • Using Internal Versus Generating “Real” Certificates
  • Protect Your Certificates!
  • Installing Your Own Certificates from a root level Authority

Hardening the vCenter Server System 
Applying a form of security’s triple defense:

  • Authentication
  • Authorization
  • Accounting

Hardening the underlying operating system, vCenter, and the vSphere Client. 
Finally, find out how to monitor vCenter logs to know that the infrastructure is secure. 

  • Authentication, Authorization, and Accounting with vCenter
  • Best Practices for Deploying and Protecting vCenter
  • Hardening the Underlying Operating System
  • Don’t forget the vSphere Client!

Controlling Access to Storage 
Shared storage is mostly required by advanced vSphere features. So, you implemented it and put all your virtual machines on it. But is it secure?
Learn how to secure Fiber Channel, iSCSI, and NFS vSphere storage.

  • Common Security for All Protocols
  • Learn about new concepts from an old era called protocol isolation.
  • Fiber Channel: Zoning and LUN Masking
  • iSCSI: CHAP and LUN Masking
  • NFS (Network File System)
    • Everyone will agree it is the most flexible, but is it the most secure?

Hardening ESXi Host Systems 
Based on the vSphere security hardening guide, this lesson shows you, step by step, how to take a base ESXi installation and give it heavy-duty security.

  • ESXi Hardening – Enabling ESXi Lockdown Mode
  • Tech Support and Remote Tech Support Configuration
  • Common Hardening – Isolate the ESX/ESXi and vCenter Management Networks
  • Enabling Certificate Checking in vCenter. 
    • If you have upgraded from previous versions without performing a “Scorched Earth” technique, you may be vulnerable to a very blatant flaw that takes 2 seconds to fix, but if you don’t know about it, it could cost you everything!
  • Configuring CA Signed Certificates 
  • Configure SSL Timeouts

Virtual Machine Security Architecture 
Find out the enhancements to security that virtualization brings, the challenges that virtualization introduces, and the common OS hardening needed for virtual machines.

  • Virtual Machine Isolation
  • Virtualization Security Enablers
  • Virtualization Security Challenges 
  • Operating System Security Best Practices

Hardening Virtual Machines - Best Practices 
Learn how to apply real-world proven virtual machine security practices in your infrastructure, step by step!

  • Use a Firewall or Access Control Lists
  • Use an Antivirus Solution
    • Better yet use one built into the Hypervisor
  • Use VMware Update Manager.
  • Standardize your Host configuration with Host Profiles.
    • If you don’t have Enterprise Plus, we will show you how to do it with a PowerShell script!
  • Limit Who Has Console Access
  • Do Not Use the VMCI if Possible
  • Isolate vMotion and/or FT Networks
  • Use vCenter Roles 
  • Use Virtual Machine Log Rotation
  • Turn off or Disable Unneeded Services
  • Turn on Auditing and/or Logging
  • Don’t Have Enterprise Plus? No problem, we will show you a PowerShell script that will do the same job.

Understanding and Managing vSphere Logs 
A critical piece of any security monitoring is the proper monitoring and alerting of security events. Find out how to monitor vSphere security logs, how to retain those logs, and how to use vCenter alarms to make sure you know when security events occur. 

  • Monitoring Log Files for Security
  • Where vSphere Stores Local Log Files 
  • Using Syslog for Logging Repository
  • How to Monitor and Retain Log Files for Auditing Purposes
  • Using vCenter Alarms for Security Monitoring
  • Monitoring vSphere Configuration Files
  • Aggregating Log Files – A Demo of Splunk

vShield: App and Edge
VMware’s vShield is a suite of virtualization security products designed to keep your virtual datacenters secure, ESXi hosts secure, the edge of the network secure, and even your VM apps secure. Find out how it works, what it can do for you, and how to implement vShield zones in your vSphere infrastructure.

  • An Overview of the vShield Suite
  • Centralized Management of the vShield Suite Using vShield Manager
  • Protecting Virtual Machines with vShield App
  • Deploy the vShield Manager 
  • Deploy Agent VMs

Secure Automation through PowerShell

  • Learn how PowerShell can be used as a configuration device
  • Learn how PowerShell can be used as a compliance device
  • Learn how PowerShell can correlate data and tell you what is wrong

Quick Overview of VCops and what it has to do with Security

  • We will discuss what VCops is and what it can accomplish
  • How most licensees of VMware already have it, but are not using it.
  • Taught by the instructors whom VMware themselves hired to do its worldwide roll-out to its top resellers, Tim Pierson and Doug Morato

Price: 2,000,- Euro

Date: February 10th to 11th 2014 - the two days before the IT-Defense conference.

Location: 
Hilton Cologne Hotel
Marzellenstrasse 13–17
50668 Köln, Germany
Phone: +49 (221) 130710
Fax: +49 (221) 130720
E-Mail: info.cologne(at)hilton.com
www.hilton.de/koeln